b"                                                       December 9, 2013\n\nThe Honorable Carolyn W. Colvin\nActing Commissioner\n\nThe Chief Financial Officers Act of 1990 (CFO) (Pub. L. No. 101-576), as amended, requires that the Social\nSecurity Administration\xe2\x80\x99s (SSA) Inspector General (IG) or an independent external auditor, as determined by the IG,\naudit SSA's financial statements in accordance with applicable standards. Under a contract monitored by the Office\nof the Inspector General (OIG), Grant Thornton, LLP, an independent certified public accounting firm, audited\nSSA's Fiscal Year (FY) 2013 financial statements. Grant Thornton, LLP, also audited the FY 2012 financial\nstatements presented in SSA\xe2\x80\x99s FY 2013 Agency Financial Report for comparative purposes. This letter transmits\nthe Grant Thornton, LLP, Independent Auditor\xe2\x80\x99s Report on the audit of SSA\xe2\x80\x99s FY 2013 financial statements. Grant\nThornton, LLP\xe2\x80\x99s, Report includes the following.\n\n     \xc2\xb7    Opinion on Financial Statements\n     \xc2\xb7    Opinion on Management's Assertion About the Effectiveness of Internal Control\n     \xc2\xb7    Report on Compliance and Other Matters\n\nObjective of a Financial Statement Audit\nThe objective of a financial statement audit is to obtain reasonable assurance that the financial statements are free of\nmaterial misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and\ndisclosures in the financial statements. An audit also includes an assessment of the accounting principles used, and\nsignificant estimates made, by management as well as an evaluation of the overall financial statement presentation.\n\nGrant Thornton, LLP, conducted its audit in accordance with auditing standards generally accepted in the United\nStates; Government Auditing Standards issued by the Comptroller General of the United States; and Office of\nManagement and Budget (OMB) Bulletin No. 
14-02, Audit Requirements for Federal Financial Statements. The\naudit included obtaining an understanding of the internal control, testing and evaluating the design and operating\neffectiveness of the internal control, and performing such other procedures as considered necessary under the\ncircumstances. Because of inherent limitations in any internal control, misstatements due to error or fraud may\noccur and not be detected. The risk of fraud is inherent to many of SSA\xe2\x80\x99s programs and operations, especially\nwithin the Supplemental Security Income program. In our opinion, people outside the organization perpetrate most\nof the fraud against SSA.\n\nAudit of Financial Statements, Effectiveness of Internal Control, and Compliance\nwith Laws and Regulations\nGrant Thornton, LLP, issued an unmodified opinion 1 on SSA\xe2\x80\x99s FY 2013 and 2012 financial statements. Grant\nThornton, LLP, also reported that SSA was maintaining effective internal control over financial reporting as of\nSeptember 30, 2013 based on criteria under OMB Circular A-123, Management\xe2\x80\x99s Responsibility for Internal\nControl, and the Federal Manager\xe2\x80\x99s Financial Integrity Act of 1982 (FMFIA).\n\n\n1\n Grant Thornton, LLP, issued an unqualified opinion on SSA\xe2\x80\x99s FY 2012 financial statements. The American Institute of\nCertified Public Accountants (AICPA) generally accepted auditing standard AU-C section 700.19 requires the auditor to express\nan \xe2\x80\x9cunmodified opinion\xe2\x80\x9d when the auditor concludes that the financial statements are presented fairly, in all material respects, in\naccordance with the applicable financial reporting framework for audits of financial statements ending on or after\nDecember 15, 2012. For consistency, we will refer to an unqualified opinion as an \xe2\x80\x9cunmodified opinion\xe2\x80\x9d for all fiscal years.\n\x0cPage 2 - The Honorable Carolyn W. 
Colvin\n\n\nHowever, Grant Thornton, LLP, did identify two significant deficiencies in internal controls.\n\nSignificant Deficiency \xe2\x80\x93 Information Systems Control\n\nIt is Grant Thornton, LLP\xe2\x80\x99s, opinion that SSA made significant progress in strengthening controls over its\ninformation systems to address the material weakness reported in FY 2012. While SSA made these significant\nefforts to strengthen controls over its systems and address weaknesses, Grant\xe2\x80\x99s Thornton, LLP\xe2\x80\x99s, FY 2013 testing\ncontinues to identify control issues in both design and operation of key controls. In its audit, Grant Thornton, LLP,\nidentified four deficiencies that, when aggregated, are considered to be a significant deficiency in the areas of\nInformation Systems Control. Specifically, Grant Thornton, LLP\xe2\x80\x99s, testing disclosed\n\n    1.   lack of a comprehensive Agency-wide policies and procedures related to vulnerability management,\n         including security vulnerability identification, prioritization, categorization, remediation, tracking, and\n         closure/validation;\n    2.   lack of comprehensive Agency-wide policies and procedures related to management of application and\n         system software changes, including identification of all critical types of changes, security categorization\n         and risk analysis for changes, testing requirements based on risk and requirements for the review and\n         approval of testing results;\n    3.   lack of controls related to the identification and monitoring of high-risk programs operating on the\n         mainframe; and\n    4.   
weaknesses in logical access controls, such as access authorization, access removal, profile content, and\n         analysis review program and supporting profile controls.\n\nSignificant Deficiency \xe2\x80\x93 Calculation, Recording, and Prevention of Overpayments\n\nIn addition to the Information Systems Control significant deficiency, Grant Thornton, LLP, identified three\ndeficiencies in internal control that, when aggregated, are considered to be a significant deficiency related to\nweaknesses in internal controls related to Calculation, Recording, and Prevention of Overpayments. Specifically,\nGrant Thornton, LLP\xe2\x80\x99s, testing disclosed\n\n    1.   overpayment calculation errors with 38 percent of items selected in its statistical sample;\n    2.   system limitations where overpayment receivable installments extending past year 2049 are not\n         systematically tracked and reported; and\n    3.   a control failure where SSA was not reconciling key data fields between SSA internal databases, resulting\n         in overpayment errors.\n\nGrant Thornton, LLP, identified no reportable instances of noncompliance with the laws, regulations, or other\nmatters tested.\n\nOIG Evaluation of Grant Thornton, LLP, Audit Performance\nTo fulfill our responsibilities under the CFO Act and related legislation for ensuring the quality of the audit work\nperformed, we monitored Grant Thornton, LLP\xe2\x80\x99s, audit of SSA's FY 2013 financial statements by\n\n    \xc2\xb7    reviewing Grant Thornton, LLP\xe2\x80\x99s, audit approach and planning;\n    \xc2\xb7    evaluating its auditors qualifications and independence;\n    \xc2\xb7    monitoring the audit\xe2\x80\x99s progress at key points;\n    \xc2\xb7    examining Grant Thornton, LLP\xe2\x80\x99s, documentation related to planning the audit, assessing SSA's internal\n         control, and substantive testing;\n    \xc2\xb7    reviewing Grant Thornton, LLP\xe2\x80\x99s, audit report to ensure compliance with 
Government Auditing Standards\n         and OMB Bulletin No. 14-02;\n\x0cPage 3 - The Honorable Carolyn W. Colvin\n\n\n    \xc2\xb7   coordinating the issuance of the audit report; and\n    \xc2\xb7   performing other procedures we deemed necessary.\n\nGrant Thornton, LLP, is responsible for the attached auditor\xe2\x80\x99s report, dated December 9, 2013, and the opinions and\nconclusions expressed therein. The OIG is responsible for technical and administrative oversight regarding Grant\nThornton, LLP\xe2\x80\x99s, performance under the terms of the contract. Our review, as differentiated from an audit in\naccordance with applicable auditing standards, was not intended to enable us to express, and, accordingly, we do not\nexpress an opinion on SSA\xe2\x80\x99s financial statements, management\xe2\x80\x99s assertions about the effectiveness of its internal\ncontrol over financial reporting, or SSA\xe2\x80\x99s compliance with certain laws and regulations. However, our monitoring\nreview, as qualified above, disclosed no instances where Grant Thornton, LLP, did not comply with applicable\nauditing standards.\n\nConsistent with our responsibility under the Inspector General Act, we are providing copies of this report to\nappropriate congressional committees with oversight and appropriation responsibilities over SSA. In addition, we\nwill post a copy of the report on our public Website.\n\n\n\n\n                                                         Patrick P. 
O\xe2\x80\x99Carroll, Jr.\n                                                         Inspector General\n\nEnclosure\n\x0c                                                                                           Audit \xe2\x80\x93 Tax \xe2\x80\x93 Advisory\n                                                                                           Grant Thornton LLP\n                                                                                           333 John Carlyle Street, Suite 400\n                                                                                           Alexandria, VA 22314-5745\n                                                                                           T 703.837.4400\n                                                                                           F 703.837.4455\n                                                                                           www.GrantThornton.com\n\nThe Honorable Carolyn W. Colvin\nActing Commissioner\nSocial Security Administration\n\n                                  INDEPENDENT AUDITOR\xe2\x80\x99S REPORT\nIn our audit of the Social Security Administration (SSA), we found:\n\n    \xc2\xb7    The consolidated balance sheets of SSA as of September 30, 2013 and 2012, the related consolidated\n         statements of net cost and changes in net position, the combined statements of budgetary resources for the\n         years then ended, the statements of social insurance as of January 1, 2013 and January 1, 2012 and\n         statement of changes in social insurance amounts for the periods January 1, 2012 to January 1, 2013 and\n         January 1, 2011 to January 1, 2012 are presented fairly, in all material respects, in conformity with\n         accounting principles generally accepted in the United States of America;\n    \xc2\xb7    Management fairly stated that SSA\xe2\x80\x99s internal control over financial reporting was operating effectively as\n         of September 30, 2013; 
and\n    \xc2\xb7    No reportable instances of noncompliance with laws, regulations, or other matters tested.\n\nThe following sections outline each of these conclusions in more detail.\n\nOPINION ON FINANCIAL STATEMENTS\nWe have audited the accompanying consolidated balance sheets of SSA as of September 30, 2013 and 2012, the\nrelated consolidated statements of net cost and changes in net position, the combined statements of budgetary\nresources for the years then ended, the statements of social insurance as of January 1, 2013, January 1, 2012,\nJanuary 1, 2011, and January 1, 2010 and the statements of changes in social insurance amounts for the periods\nJanuary 1, 2012 to January 1, 2013 and January 1, 2011 to January 1, 2012. The statement of social insurance as of\nJanuary 1, 2009 was audited by other auditors whose reports dated November 9, 2009 expressed an unmodified\nopinion on those statements.\n\nManagement\xe2\x80\x99s Responsibility for the Financial Statements\n\nManagement is responsible for the preparation and fair presentation of these financial statements in accordance with\naccounting principles generally accepted in the United States of America; this includes the design, implementation,\nand maintenance of internal control relevant to the preparation and fair presentation of financial statements that are\nfree from material misstatement, whether due to fraud or error.\n\x0cAuditor\xe2\x80\x99s Responsibility\n\nOur responsibility is to express an opinion on these financial statements based on our audits. We conducted our\naudits in accordance with auditing standards generally accepted in the United States of America; the standards\napplicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the\nUnited States; and Office of Management and Budget (OMB) Bulletin No. 14-02, Audit Requirements for Federal\nFinancial Statements. Those standards and OMB Bulletin No. 
14-02 requires that we plan and perform the audit to\nobtain reasonable assurance about whether the financial statements are free of material misstatement.\n\nAn audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial\nstatements. The procedures selected depend on the auditor\xe2\x80\x99s judgment, including the assessment of the risks of\nmaterial misstatement of the financial statements, whether due to fraud or error. In making those risk assessments,\nthe auditor considers internal control relevant to the entity\xe2\x80\x99s preparation and fair presentation of the financial\nstatements in order to design audit procedures that are appropriate in the circumstances. An audit also includes\nevaluating the appropriateness of accounting policies used and the reasonableness of significant accounting\nestimates made by management, as well as evaluating the overall presentation of the financial statements.\n\nWe believe that the audit evidence we have obtained is sufficient and appropriate to provide a reasonable basis for\nour opinion.\n\nOpinion\n\nIn our opinion, the financial statements referred to above and presented on pages 40 through 74 of this Agency\nFinancial Report (AFR), present fairly, in all material respects, the financial position of SSA as of September\n30, 2013 and 2012, its net cost of operations, changes in net position, and budgetary resources for the years then\nended, the financial condition of its social insurance program as of January 1, 2013, January 1, 2012,\nJanuary 1, 2011, and January 1, 2010 and changes in social insurance amounts for the period January 1, 2012 to\nJanuary 1, 2013 and January 1, 2011 to January 1, 2012, in conformity with accounting principles generally\naccepted in the United States of America.\n\nAs discussed in Note 17 to the financial statements, the statements of social insurance present the actuarial present\nvalue of SSA's estimated future income to be 
received from or on behalf of the participants and estimated future\nexpenditures to be paid to or on behalf of participants during a projection period sufficient to illustrate long-term\nsustainability of the social insurance program. In preparing the statement of social insurance, management considers\nand selects assumptions and data that it believes provide a reasonable basis for the assertions in the statements.\nHowever, because of the large number of factors that affect the statement of social insurance and the fact that future\nevents and circumstances cannot be known with certainty, there will be differences between the estimates in the\nstatement of social insurance and the actual results, and those differences may be material.\n\nOPINION ON MANAGEMENTS ASSERTION ABOUT THE EFFECTIVENESS OF INTERNAL CONTROL\nWe have examined managements assertion as of September 30, 2013, based on criteria established under 31 U.S.C.\n3512(c), (d), the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982 (FMFIA), and the OMB Circular No. A-123,\nManagement\xe2\x80\x99s Responsibility for Internal Control. We did not test all internal controls, relevant to the operating\nobjectives broadly, defined by FMFIA. SSA\xe2\x80\x99s management is responsible for maintaining effective internal control\nover financial reporting and for its assertion of the effectiveness of internal control over financial reporting included\nin the accompanying FMFIA Assurance Statement on page 31 of this AFR. Our responsibility is to express an\nopinion on managements assertion based on our examination.\n\nWe conducted our examination in accordance with attestation standards established by the AICPA; and internal\ncontrol audit requirements included in OMB Bulletin No. 14-02. Attestation standards require that we plan and\nperform the examination to obtain reasonable assurance about whether effective internal control over financial\nreporting was maintained in all material respects. 
Our examination included obtaining an understanding of internal\ncontrol over financial reporting, assessing the risk that a material weakness exists, testing and evaluating the design\n\n\n                                                                                                                          2\n\x0cand operating effectiveness of internal control based on the assessed risk, and performing such other procedures as\nwe considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our\nopinion.\n\nAn Agency\xe2\x80\x99s internal control over financial reporting is a process affected by those charged with governance,\nmanagement, and other personnel, designed to provide reasonable assurance regarding the preparation of reliable\nfinancial statements in accordance with generally accepted accounting principles. An Agency\xe2\x80\x99s internal control over\nfinancial reporting includes those policies and procedures that ( 1 ) pertain to the maintenance of records that, in\nreasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the Agency;\n( 2 ) provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial\nstatements in accordance with generally accepted accounting principles, and that receipts and expenditures of the\nAgency are being made only in accordance with authorizations of management and those charged with governance;\nand ( 3 ) provide reasonable assurance regarding prevention, or timely detection and correction of unauthorized\nacquisition, use, or disposition of the Agency\xe2\x80\x99s assets that could have a material effect on the financial statements.\n\nBecause of its inherent limitations, internal control over financial reporting may not prevent, or detect and correct\nmisstatements. 
Also, projections of any evaluation of effectiveness to future periods are subject to the risk that\ncontrols may become inadequate because of changes in conditions, or that the degree of compliance with the\npolicies or procedures may deteriorate.\n\nA deficiency in internal control over financial reporting exists when the design or operation of a control does not\nallow management or employees, in the normal course of performing their assigned functions, to prevent or detect\nand correct misstatements on a timely basis.\n\nA material weakness is a deficiency, or a combination of deficiencies, in internal control over financial reporting,\nsuch that there is a reasonable possibility that a material misstatement of the Agency's financial statements will not\nbe prevented, or detected and corrected on a timely basis. No deficiencies in internal control were identified that\nwere considered material weaknesses. However, material weakness may exist that have not been identified.\n\nA significant deficiency is a deficiency, or a combination of deficiencies, in internal control over financial reporting\nthat is less severe than a material weakness, yet important enough to merit attention by those charged with\ngovernance. We identified certain deficiencies that, in the aggregate, are considered a significant deficiency in the\nareas of Information Systems Controls and Controls over Calculation, Recording and Prevention of Overpayments.\n\n                   SIGNIFICANT DEFICIENCY - INFORMATION SYSTEMS CONTROLS\nSSA\xe2\x80\x99s business processes which generate the information included in financial statements are dependent upon the\nAgency\xe2\x80\x99s information systems. 
A comprehensive and effective internal control program over these systems is\nparamount to the reliability, integrity, and confidentiality of data while mitigating the risk of errors, fraud, and other\nillegal acts.\n\nOverview\n\nManagement relies extensively on information systems operations for the administration and processing of the\nTitle II and Title XVI programs, to both process and account for their expenditures, as well as for financial\nreporting. Internal controls over these environments are essential for the reliability, integrity, and confidentiality of\nthe program\xe2\x80\x99s data and mitigate the risks of error, fraud and other illegal acts.\n\nOur internal control testing covered both general and application controls. General Controls encompass the\nentity-wide security program (EWSP), access controls (physical and logical), configuration and change\nmanagement, segregation of duties, and service continuity/contingency planning. General controls provide the\nfoundation for the integrity of systems including applications and the system software which make up the general\nsupport systems of the major applications. General controls, combined with application level controls, are critical to\nensure accurate and complete processing of transactions and integrity of stored data. Application controls include\n\n\n                                                                                                                            3\n\x0ccontrols over input, processing of data, and output of data as well as interface, master file, and other user controls.\nThese controls provide assurance over the completeness, accuracy, and validity of data. 
Our examination included\ntesting of the Agency\xe2\x80\x99s mainframe, networks, databases, applications, and other supporting systems and was\nconducted at headquarters, as well as, off-site locations such as Disability Determination Services (DDS) Centers\nand field offices (FOs).\n\nDeficiencies Noted in Information Systems\n\nSSA made significant progress in strengthening controls over its information systems to address the material\nweakness reported in FY 2012. In response to the material weakness SSA developed functional remediation teams\nto investigate issues, identify root causes, and implement corrective actions. Each functional remediation team, with\noversight from SSA leadership, took risk-based approaches to remediation\xe2\x80\x94addressing higher risk areas\nimmediately, and planning for future security enhancements. Management\xe2\x80\x99s risk based approach included\ncorrection of vulnerabilities identified through our specific tests, as well as, development and implementation of\ninstitutionalized and repeatable processes to prevent future weaknesses.\n\nWhile SSA made these significant efforts to strengthen controls over its systems and address weaknesses, our\nFY 2013 testing continues to identify control issues in both design and operation of key controls. 
We believe that in\nmany cases these deficiencies continue to exist because of one or a combination of the following:\n\n    \xc2\xb7    Control enhancements and newly designed controls require additional time to effectuate throughout the\n         environment;\n    \xc2\xb7    By focusing resources on higher risk weaknesses, SSA was unable to implement corrective action for all\n         aspects of the prior year issues; and/or\n    \xc2\xb7    The design and/or operational effectiveness of enhanced or newly designed controls did not completely\n         address risks.\n\nWe noted deficiencies in the following areas that contribute to the significant deficiency:\n\n    \xc2\xb7    Threat Identification and Vulnerability Management\n    \xc2\xb7    Change Management\n    \xc2\xb7    Mainframe Security\n    \xc2\xb7    Access Controls/Segregation of Duties\n\nThreat Identification and Vulnerability Management\n\nSoftware should be scanned and updated frequently to guard against security threats. Effective vulnerability and\npatch management as well as virus protection programs ensure that security threats are identified, risks are assessed,\nand actions are taken to prevent inappropriate access or software errors within an organization\xe2\x80\x99s Information\nTechnology environment. Our testing identified the following issue:\n\n    \xc2\xb7    Lack of a comprehensive Agency-wide policy and procedures related to vulnerability management,\n         including security vulnerability identification, prioritization, categorization, remediation, tracking, and\n         closure/validation.\n\n         During our internal penetration testing we were able to take advantage of software vulnerabilities,\n         misconfigurations, and restricted information and ultimately assume control over two servers, the Windows\n         domain, as well as, gaining access to the mainframe without detection. 
This is the third successive year we\n         have gained control of the SSA Windows system without detection. During subsequent assessments of the\n         Agency\xe2\x80\x99s overall vulnerability management process, we noted that a key scanning tool was not being fully\n         used to identify vulnerabilities across SSA\xe2\x80\x99s network, and that Agency-wide comprehensive policies and\n         procedures on vulnerability management were not established.\n\n                                                                                                                          4\n\x0c        The Agency corrected the specific software vulnerabilities identified during our penetration testing,\n        developed configuration standards for the software, and began using more capabilities of the scanning tool.\n        However, without a comprehensive process in place, security threats may not be appropriately prioritized\n        and remediated.\n\nChange Management\n\nChange management processes provide assurance that software, data, and other changes associated with information\nsystems are approved and tested so they do not introduce functional or security risks. A disciplined process for\ntesting, approving, and migrating changes between environments, including into production, is essential to ensure\nthat systems operate as intended and that no unauthorized changes are implemented. 
Our testing identified the\nfollowing issue:\n\n    \xc2\xb7   Lack of comprehensive Agency-wide policy and procedures related to management of application and\n        system software changes, including identification of all critical types of changes, security categorization\n        and risk analysis for changes, testing requirements based on risk and requirements for the review and\n        approval of testing results.\n\n        While our testing demonstrated that change management activities were occurring for both application and\n        system software changes, the Agency had not fully documented a comprehensive policy and procedures\n        covering the entirety of change management processes conducted by the Agency. Our testing noted the\n        following:\n\n          o   System Software - An impact/risk assessment to determine the security implications for mainframe\n              changes did not occur. Further, for the majority of changes tested, we noted that developers were\n              responsible for testing their own changes and implementing these changes into production. 
While\n              Management performed a review to validate that updates made were associated with an approved\n              change, there were no requirements nor guidance related to the types of testing to be performed\n              (including security reviews), nor for retention or independent review of testing documentation, nor\n              validation that the change made was limited to the requirements in the approved change ticket.\n          o   Application Changes - We noted instances where evidence to support testing and other requirements\n              could not be provided.\n\n        These issues increase the risk that changes to applications and supporting system software, that may impact\n        benefit claim processing, payments, or financial data, do not function as intended or introduce security\n        risks.\n\nMainframe Security\n\nMainframe system software includes programs that are essential to the effective functioning of the operating system.\nSome of these programs act as an extension of the operating system and therefore are required to access restricted\nfunctions and can override security. Maintaining an authorized listing of high risk programs and implementing\nappropriate change and monitoring controls is essential to mainframe security. 
Our testing identified the following\nissue:\n\n    \xc2\xb7   Lack of controls related to the identification and monitoring of high-risk programs operating on the\n        mainframe.\n\n        The Agency had not finalized and fully implemented controls associated with ensuring that privileged\n        programs have been approved, can only be modified appropriately, and pose no security risks.\n        Management continues to make control enhancements, including but not limited to, identifying privileged\n        programs, the review of privileged programs from a security perspective, access restrictions to all\n        privileged programs, and change/monitoring control enhancements.\n\n\n\n                                                                                                                      5\n\x0c         Without appropriate controls, there is an increased risk that the security posture and controls may be\n         bypassed or compromised.\n\nAccess Controls/Segregation of Duties\n\nAccess controls provide assurance that critical systems assets are physically safeguarded and that logical access to\nsensitive applications, system utilities, and data is provided only when authorized and appropriate. These controls\nmitigate the inherent risk that unauthorized users and computer processes cannot access sensitive data, as well as,\nthat users are not given access to system functions that could create a segregation of duties conflict. Weaknesses in\nsuch controls can compromise the integrity of sensitive data and increase the risk that such data may be\ninappropriately accessed and/or disclosed. 
Our testing identified the following issues with logical access controls:\n\n    \xc2\xb7    Access Authorization\n\n         Our testing identified control failures related to the appropriate completion of authorization forms.\n         Included in these control failures were instances of new hires, transferred employees, and contractors.\n\n    \xc2\xb7    Access Removal\n\n         Our testing identified control failures related to the timely removal of logical access for terminated\n         employees\xe2\x80\x99 logical access to the mainframe, network, and other supporting systems. Included in these\n         control failures were instances of SSA employees and state DDS employees who retained access after they\n         were terminated. Additionally, SSA did not have an authoritative source to identify and manage all\n         contractors and therefore was unable to supply actual departure dates for contractors to substantiate timely\n         removal of access.\n\n    \xc2\xb7    Profile Content and Analysis Review Program and Supporting Profile Controls\n\n         SSA Management continues to make progress in assessing profile content to validate that profiles only\n         provide access to the minimal resources required for users to complete job functions. 
         However, SSA had not completed the review of all profiles that are relevant to critical applications and supporting systems, nor had SSA completed other profile quality initiatives including, but not limited to, some control enhancements.

As a result of these deficiencies, we noted numerous issues of unauthorized and inappropriate access, including application developers (programmers) with unmonitored access to production data and application transactions, access to key transactions and data, key change management libraries, and other sensitive system software resources.

Recommendations

In order to mitigate the risks of the issues noted in the significant deficiency, management should consider:

    ·    Formally documenting comprehensive policies and procedures related to (1) threat identification and vulnerability management and (2) application and system software change management that address the issues noted.
    ·    Developing a comprehensive program to identify and monitor high-risk programs operating on the mainframe.
    ·    Analyzing current access authorization and removal processes to determine whether current controls mitigate the risk of unauthorized access, and modifying controls considering automation and monitoring.
    ·    Continuing, as part of the SSA profile quality program, additional profile content reviews and other key profile improvement initiatives.

SIGNIFICANT DEFICIENCY - CALCULATION, RECORDING AND PREVENTION OF OVERPAYMENTS

Overview

Benefit overpayments occur when beneficiaries receive payments beyond their entitled amount.
Upon detection of an overpayment, the agency records an accounts receivable with the public to reflect the amount due to SSA from the beneficiary. Due to the nature of the benefit payment programs, SSA has extensive operations geographically dispersed throughout the United States. Overpayment detection, calculation, and documentation can take place in various places, including approximately 1,300 Field Offices (FOs) or eight Program Service Centers (PSCs). Therefore, SSA has specific policies and procedures in place to ensure consistent treatment and documentation of overpayments and the related accounts receivable balances. Since this process can be complex for some cases and relies heavily on manual input, SSA’s adherence to its policies and procedures is critical to correct and timely decisions and accurate tracking of balances. Management also relies heavily on its Information Technology infrastructure, interfaces, and controls to record and prevent erroneous payments.

Deficiencies in Overpayment Calculations and Records

Similar to prior years, Grant Thornton noted deficiencies in the documentation maintained around overpayments. During the current year, we selected a statistical sample of overpayments and noted overpayment calculation errors with 38 percent of the items selected. Although the impact of these errors is not deemed material, these errors evidence further control weaknesses in the overpayment process, including inappropriate overpayment tracking.

Deficiencies in Overpayment Records and Tracking

Large overpayment balances are often paid back to SSA in monthly installments. Payments of these installments can go beyond the year 2049. SSA has identified a systems limitation where receivable installments extending past 2049 are not tracked and reported systematically. Therefore, the accounts receivable balances related to these overpayments are understated. The projected understatements are immaterial.
This issue has been previously discussed in Government Accountability Office (GAO) reports and continues to be studied by the agency.

During our testing of overpayments, we encountered samples where the 2049 situation contributed to manual errors. While the agency is working on enhancing the capabilities to properly account for these receivables and updating policies to avoid longer-term repayment programs, failure to resolve the 2049 issue will continue to increase the likelihood of manual errors as well as continue to understate accounts receivable balances.

Deficiencies in Overpayment Prevention

During our Computer Assisted Auditing Techniques (CAATs), we identified certain key data fields, such as Date of Death, which did not agree between SSA internal databases. As a result, our testing detected overpayments issued to a limited number of deceased individuals. While these cases were clearly immaterial to SSA financial statements, they were indicative of a control failure where SSA was not reconciling data between systems to detect discrepancies which could lead to payment errors. While overpayments occur for many reasons, SSA should take all possible actions under its control to prevent and detect overpayments. Failure to detect overpayments results in continued erroneous benefit payments and unrecorded corresponding accounts receivable.
The longer an overpayment goes undetected, the greater the overpayment balance becomes and the lower the chance of accounts receivable collections.

Recommendations

In order to mitigate the risks of the issues noted in the significant deficiency, management should consider:

Deficiencies in Overpayment Calculations and Records

    ·    Performing a risk-based analysis on current overpayment balances to detect and correct errors in existing overpayment balances, considering manual intervention, balance, and age.
    ·    Enhancing documentation requirements and improving overpayment documentation tools to ensure overpayments are completely, accurately, and timely documented by FOs or PSCs within the appropriate systems of record.
    ·    Increasing management review over manual transactions impacting overpayment balances.

Deficiencies in Overpayment Records and Tracking

    ·    Evaluating technical enhancements that will address payment plans that extend beyond the year 2049.
    ·    Evaluating changes in repayment plans to minimize future long-term repayment plans.

Deficiencies in Overpayment Prevention

    ·    Enhancing periodic reconciliations between SSA data which can impact payment amounts.

In our opinion, management's assertion that SSA maintained effective internal control over financial reporting as of September 30, 2013 is fairly stated, in all material respects, based on criteria established under FMFIA and OMB Circular No. A-123.

REPORT ON COMPLIANCE AND OTHER MATTERS

The management of SSA is responsible for compliance with laws and regulations.
As part of obtaining reasonable assurance about whether the basic financial statements are free of material misstatement, we performed tests of compliance with laws and regulations, including laws governing the use of budgetary authority, government-wide policies and laws identified in Appendix E of OMB Bulletin No. 14-02, and other laws and regulations, noncompliance with which could have a direct and material effect on the financial statements. Under the Federal Financial Management Improvement Act of 1996 (FFMIA), we are required to report whether SSA’s financial management systems substantially comply with the Federal financial management systems requirements, applicable Federal accounting standards, and the United States Government Standard General Ledger at the transaction level. To meet this requirement, we performed tests of compliance with FFMIA section 803(a) requirements.

We did not test compliance with all laws and regulations applicable to SSA. We limited our tests of compliance to the provisions of laws and regulations cited in the preceding paragraph of this report. Providing an opinion on compliance with those provisions was not an objective of our audit and, accordingly, we do not express such an opinion.

The results of our tests of compliance disclosed no instances of noncompliance with laws and regulations or other matters that are required to be reported under Government Auditing Standards or OMB Bulletin No.
14-02, and no instances of substantial noncompliance that are required to be reported under FFMIA.

Other Matters

The Management’s Discussion and Analysis (MD&A) included on pages 5 through 36, and the Required Supplementary Information (RSI) included on pages 75 and 81 through 92 of this AFR are not a required part of the basic financial statements but are supplementary information required by the Federal Accounting Standards Advisory Board and OMB Circular A-136, Financial Reporting Requirements. This required supplementary information is the responsibility of management. We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America established by the AICPA. These limited procedures consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management’s responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

Other Information

The other information included on pages 1 through 4, 37 through 39, 76 through 80, 93 through 95 and 105 to the end of this AFR, is presented for purposes of additional analysis and is not a required part of the basic financial statements.
Such information has not been subjected to the auditing procedures applied in the audit of the basic financial statements, and accordingly, we express no opinion on it.

Our report is intended solely for the information and use of management of SSA, the Office of the Inspector General, the OMB, the Government Accountability Office, and Congress and is not intended to be and should not be used by anyone other than these specified parties.

Alexandria, Virginia
December 9, 2013